x11vnc: -unixpw_cmd, -passwfile cmd:/custom:, -sslnofail, -ultrafilexfer

1 files changed, 67 insertions, 11 deletions

diff --git a/x11vnc/help.c b/x11vnc/help.c
index 0959cb8..c66c10d 100644
--- a/x11vnc/help.c
+++ b/x11vnc/help.c
@@ -315,10 +315,11 @@ void print_help(int mode) {
 "                       change the global or per-client viewonly state the\n"
 "                       filetransfer permissions will NOT change.\n"
 "\n"
-"                       Note, to *enable* UltraVNC filetransfer (currently\n"
+"-ultrafilexfer         Note, to *enable* UltraVNC filetransfer (currently\n"
 "                       disabled by default, this may change...) and to get it\n"
 "                       to work you probably need to supply these libvncserver\n"
 "                       options: \"-rfbversion 3.6 -permitfiletransfer\"\n"
+"                       \"-ultrafilexfer\" is an alias for this combination.\n"
 "\n"
 "-http                  Instead of using -httpdir (see below) to specify\n"
 "                       where the Java vncviewer applet is, have x11vnc try\n"
@@ -434,20 +435,59 @@ void print_help(int mode) {
 "-passwdfile filename   Specify the libvncserver password via the first line\n"
 "                       of the file \"filename\" (instead of via -passwd on\n"
 "                       the command line where others might see it via ps(1)).\n"
-"                       See below for how to supply multiple passwords.\n"
+"\n"
+"                       See the descriptions below for how to supply multiple\n"
+"                       passwords, view-only passwords, to specify external\n"
+"                       programs for the authentication, and other features.\n"
 "\n"
 "                       If the filename is prefixed with \"rm:\" it will be\n"
 "                       removed after being read.  Perhaps this is useful in\n"
-"                       limiting the readability of the file.  In general,\n"
-"                       the password file should not be readable by untrusted\n"
-"                       users (BTW: neither should the VNC -rfbauth file:\n"
-"                       it is NOT encrypted, only obscured).\n"
+"                       limiting the readability of the file.  In general, the\n"
+"                       password file should not be readable by untrusted users\n"
+"                       (BTW: neither should the VNC -rfbauth file: it is NOT\n"
+"                       encrypted, only obscured with a fixed key).\n"
 "\n"
 "                       If the filename is prefixed with \"read:\" it will\n"
-"                       periodically be checked for changes and reread.\n"
-"\n"
-"                       Note that only the first 8 characters of a password\n"
-"                       are used.\n"
+"                       periodically be checked for changes and reread.  It it\n"
+"                       guaranteed to be reread just when a new client connects\n"
+"                       so that the latest passwords will be used.\n"
+"\n"
+"                       If \"filename\" is prefixed with \"cmd:\" then the\n"
+"                       string after the \":\" is run as an external command:\n"
+"                       the output of the command will be interpreted as if it\n"
+"                       were read from a password file (see below).  If the\n"
+"                       command does not exit with 0, then x11vnc terminates\n"
+"                       immediately.  To specify more than 1000 passwords this\n"
+"                       way set X11VNC_MAX_PASSWDS before starting x11vnc.\n"
+"                       The environment variables are set as in -accept.\n"
+"\n"
+"                       Note that due to the VNC protocol only the first 8\n"
+"                       characters of a password are used (DES key).\n"
+"\n"
+"                       If \"filename\" is prefixed with \"custom:\" then a\n"
+"                       custom password checker is supplied as an external\n"
+"                       command following the \":\". The command will be run\n"
+"                       when a client authenticates.  If the command exits with\n"
+"                       0 the client is accepted, otherwise it is rejected.\n"
+"                       The environment variables are set as in -accept.\n"
+"\n"
+"                       The standard input to the custom command will be a\n"
+"                       decimal digit \"len\" followed by a newline. \"len\"\n"
+"                       specifies the challenge size and is usually 16 (the\n"
+"                       VNC spec).  Then follows len bytes which is the random\n"
+"                       challenge string that was sent to the client. This is\n"
+"                       then followed by len more bytes holding the client's\n"
+"                       response (i.e. the challenge string encrypted via DES\n"
+"                       with the user password in the standard situation).\n"
+"\n"
+"                       The \"custom:\" scheme can be useful to implement\n"
+"                       dynamic passwords or to implement methods where longer\n"
+"                       passwords and/or different encryption algorithms\n"
+"                       are used.  The latter will require customizing the VNC\n"
+"                       client as well.  One could create an MD5SUM based scheme\n"
+"                       for example.\n"
+"\n"
+"                       File format for -passwdfile:\n"
 "\n"
 "                       If multiple non-blank lines exist in the file they are\n"
 "                       all taken as valid passwords.  Blank lines are ignored.\n"
@@ -611,6 +651,17 @@ void print_help(int mode) {
 "                       to use -users unixpw= to switch the process user after\n"
 "                       the user logs in.\n"
 "\n"
+"-unixpw_cmd str        As -unixpw above, however do not use su(1) but rather\n"
+"                       run the externally supplied command \"str\".  The first\n"
+"                       line of its stdin will the username and the second line\n"
+"                       the received password.  If the command exits with status\n"
+"                       0 (success) the VNC client will be accepted.  It will be\n"
+"                       rejected for any other return status.  Dynamic passwords\n"
+"                       and non-unix passwords can be implemented this way by\n"
+"                       providing your own custom helper program.  Note that\n"
+"                       under unixpw mode the remote viewer is given 3 tries\n"
+"                       to enter the correct password.\n"
+"\n"
 #endif
 "-display WAIT:...      A special usage mode for the normal -display option.\n"
 "                       Useful with -unixpw, but can be used independently\n"
@@ -792,6 +843,11 @@ void print_help(int mode) {
 "                       Set to zero to poll forever.  Set to a negative value\n"
 "                       to use the builtin setting.\n"
 "\n"
+"-sslnofail             Exit at the first SSL connection failure. Useful when\n"
+"                       scripting SSL connections (e.g. x11vnc is started via\n"
+"                       ssh) and you do not want x11vnc waiting around for more\n"
+"                       connections, tying up ports, etc.\n"
+"\n"
 "-ssldir [dir]          Use [dir] as an alternate ssl certificate and key\n"
 "                       management toplevel directory.  The default is\n"
 "                       ~/.vnc/certs\n"
@@ -3340,7 +3396,7 @@ void print_help(int mode) {
 "\n"
 "                        stunnel, ssl, unixpw, WAIT, id, accept, afteraccept,\n"
 "                        gone, pipeinput, v4l-info, rawfb-setup, dt, gui,\n"
-"                        storepasswd, crash.\n"
+"                        storepasswd, passwdfile, custom_passwd, crash.\n"
 "\n"
 "                       See each option's help to learn the associated external\n"
 "                       command.  Note that the -nocmds option takes precedence\n"